Impact of Executive Order 14117 and DOJ’s Final Rule on HIEs Operating as Business Associates

Impact of Executive Order 14117 and DOJ’s Final Rule on HIEs Operating as Business Associates

by | May 21, 2025 | , ,

The U.S. Department of Justice’s Final Rule titled Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons became effective on April 8, 2025, but its compliance requirements are currently stayed until July 8, 2025 to give organizations time to adjust. This sweeping rule applies to U.S. hospitals, health systems, health information exchanges (HIEs), health IT and cloud vendors, research institutions, and any other U.S. persons or entities that handle, transfer, or store large volumes of sensitive personal data. HIEs should coordinate closely with legal counsel to update their compliance programs and ensure that no aspect of their technology stack or vendor chain inadvertently creates a prohibited or restricted data transaction.

read more
Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

by | Mar 25, 2025 | , ,

Continuing the saga of Real Time and PointClickCare in the battle of the bots, the U.S. 4th Circuit recently affirmed a preliminary injunction granted in favor of Real Time against PointClickCare, finding, among other things, that PointClickCare was unable to meet a burden of proof that it met its claimed Exceptions to Information Blocking. Therefore, documentation will be critical for actors who may find themselves having to defend similar claims.

read more
NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

by | Mar 2, 2025 | , , ,

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!

read more
FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

by | May 15, 2024 | , , , ,

The FTC has finalized significant changes to the Health Breach Notification Rule (HBNR), a regulation originally designed to ensure that personal health records (PHRs) and similar digital health platforms notify consumers in the event of a data breach. These updates clarify the rule’s applicability to technologies outside the scope of HIPAA and impose stricter notification and transparency requirements on companies handling sensitive health data. The amendments also carry broad implications for HIEs and HINs, which are at the forefront of data interoperability and patient information sharing.

read more
AHA Writes Letter to HHS and Pushes Back on OCR’s Online Tracking Guidance

AHA Writes Letter to HHS and Pushes Back on OCR’s Online Tracking Guidance

by | May 30, 2023 | , , ,

After OCR created a Morton’s Fork for hospitals and health systems by publishing its HIPAA Guidance on the Use of Online Tracking Technologies, the American Hospital Association initially stayed out of the fray. Not any more. In its letter dated May 22, 2023, AHA makes its case to HHS as to why OCR’s Online Tracking Guidance should be suspended or amended.

read more
FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule

FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule

by | May 18, 2023 | , , ,

The FTC releases its second enforcement action under the Health Breach Notification Rule in just over 3 months. This time, the FTC found that a fertility app called Premom shared sensitive fertility information with third parties for unauthorized purposes. While Premom told its users that it would not share their health information with third parties without users’ consent, it used third-party automated tracking tools known as software development kits (SDKs) which shared highly sensitive health information (e.g., data about an individual user’s sexual & reproductive health, pregnancy status etc.) for advertising and marketing purposes.

read more
Big Changes to Big Breaches of Data and Notification Requirements Coming Soon!

Big Changes to Big Breaches of Data and Notification Requirements Coming Soon!

by | Aug 21, 2020 | , ,

Yesterday, the period for public comment on the FTC’s Health Breach Notification Rule closed.  The FTC’s Health Breach Notification Rule requires vendors of PHRs and PHR-related entities to notify the FTC if they experience a breach of security involving unsecured health information. Another area of change to Breach Notification is arising out of the CARES Act which was was enacted into law on March 27, 2020 and is making significant changes 42 C.F.R. Part 2.  Among other changes that the CARES Act is introducing, it creates an entirely new obligation on Part 2 providers to notify SAMHSA of uses and disclosures of Part 2 data in any manner not authorized under Part 2!  To date, 42 CFR Part 2 did NOT include an independent obligation to report or notify any agency (i.e., SAMHSA or HHS) of any use or disclosure of Part 2 information which was in violation of 42 CFR  Part 2.

read more
Mind your Breach Insurance and Vendor Contracts

Mind your Breach Insurance and Vendor Contracts

by | Jul 17, 2020 | , ,

A preliminary class action data breach settlement involving UnityPoint Health should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. Adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size, operations. Additionally, health care organizations should pay close attention to their vendor contracts, particularly limitation of liability clauses, hold harmless provisions and indemnification provisions in health IT and other contracts.

read more
Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

by | May 11, 2020 | , ,

Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act.  On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago

read more

Archives